By default, mod_auth in Apache 2.2 would allow only users from the bestmates group to authenticate, and randomguy won’t have access because he doesn’t belong to the group. In other words, the Require user directive would be ignored entirely.

To allow both the group and the user, simply add AuthzGroupFileAuthoritative Off to your configuration (.htaccess, httpd.conf, or wherever it lives).
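
A complete .htaccess for the setup described above, as an added example that is not taken from the original post. The realm name, the file paths, and the group members alice and bob are placeholders assumed for illustration.

```apache
# Basic authentication backed by flat files (paths are placeholders).
AuthType Basic
AuthName "Restricted area"
AuthUserFile /path/to/.htpasswd

# Constructed group file contents, one group per line:
#   bestmates: alice bob
AuthGroupFile /path/to/.htgroup

# Members of bestmates are allowed in.
Require group bestmates

# randomguy is not in bestmates but should also be allowed in.
Require user randomguy

# Without this line the group-file check is authoritative in Apache 2.2:
# a user who is not in the group is rejected before "Require user" is
# evaluated. Off lets the decision fall through to the user check.
AuthzGroupFileAuthoritative Off
```

With the directive set to Off, a user who matches neither Require line is still denied, so check access with one account from each category (a group member, randomguy, and an unrelated user) after the change. The directive is specific to Apache 2.2; it was removed in Apache 2.4, where multiple Require lines are combined as alternatives by default.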